TheLorc
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 18, 2022 4:53 am

Anyone know how to 'Whitelist' an IP through my firewall on Mikrotik?

Mon Jul 25, 2022 10:17 pm

Hi guys,

Basically my softphone app provider (Ringotel) has told me to whitelist their IP in my firewall.

I am using an on-premises IP PBX FreePBX server for my phone system. I am trying to switch over my router from a Cisco Meraki MX64 router to a MikroTik RB2011iL-RM. So far everything has worked EXCEPT one thing.

I am able to ring my DID, which attempts to call my FreePBX server via my public IP and port forwarding. It succeeds in getting to my FreePBX server. In fact, with my desktop phones and other softphone apps (e.g. Linphone) it works perfectly: I am able to call and connect and hear audio. With Ringotel it connects BUT I can't hear audio!

Ringotel is a cloud-based softphone, so you configure it in the cloud and it connects to your PBX through the internet. However, my desktop phones and Linphone are both provisioned in the local area network. I believe that is why they work but Ringotel does not.

Anyway, Ringotel have told me to try and check if I can whitelist their IP. From what I can see in MikroTik, given the 'source address' in my Firewall -> NAT rule is blank, this means ALL IPs are whitelisted, correct? So it's already whitelisted?
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Anyone know how to 'Whitelist' an IP through my firewall on Mikrotik?

Mon Jul 25, 2022 10:33 pm

post your config /export and remove or fake any actual Public IP numbers from the ISP (wan IP, WAN gateway IP etc...)
 
jvanhambelgium
Forum Veteran
Posts: 990
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Anyone know how to 'Whitelist' an IP through my firewall on Mikrotik?

Mon Jul 25, 2022 10:36 pm

Whitelisting must be looked at in another context: DENY everyone BUT "whitelist" SOME (or 1).
So YES, your (D)NAT rule is probably open for the whole world, but I would not call that a correct "whitelist" setup.
So either

1) Populate the "src address" field in the NAT rule with the IP provided by your cloud-provider
2) Create an "address list" object, and put that IP in there (along with possibly others) and then in the (D)NAT-rule refer to this list in the "src address list" field
 
TheLorc
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 18, 2022 4:53 am

Re: Anyone know how to 'Whitelist' an IP through my firewall on Mikrotik?

Mon Jul 25, 2022 10:47 pm

post your config /export and remove or fake any actual Public IP numbers from the ISP (wan IP, WAN gateway IP etc...)
Can't see my public IP anywhere, if you do let me know

# jul/25/2022 20:44:51 by RouterOS 7.4
# software id = JCY8-AFLA
#
# model = RB2011iL
# serial number = E7DD0F73B4C5
/interface bridge
add admin-mac=DC:2C:6E:4C:59:6F auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
use-peer-dns=yes user=eircom
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.88.218 client-id=1:0:1f:c1:1c:c9:80 mac-address=\
00:1F:C1:1C:C9:80 server=defconf
add address=192.168.88.216 client-id=1:0:1f:c1:1c:c4:20 mac-address=\
00:1F:C1:1C:C4:20 server=defconf
add address=192.168.88.215 client-id=1:0:1f:c1:1c:c4:1b mac-address=\
00:1F:C1:1C:C4:1B server=defconf
add address=192.168.88.214 client-id=1:0:1f:c1:1c:c4:1c mac-address=\
00:1F:C1:1C:C4:1C server=defconf
add address=192.168.88.213 client-id=1:0:1f:c1:1c:c4:8b mac-address=\
00:1F:C1:1C:C4:8B server=defconf
add address=192.168.88.212 client-id=1:0:1f:c1:1c:c4:91 mac-address=\
00:1F:C1:1C:C4:91 server=defconf
add address=192.168.88.211 client-id=1:0:1f:c1:1c:c9:7b mac-address=\
00:1F:C1:1C:C9:7B server=defconf
add address=192.168.88.209 client-id=1:38:22:e2:9f:d:91 mac-address=\
38:22:E2:9F:0D:91 server=defconf
add address=192.168.88.207 client-id=1:0:1f:c1:1c:c4:90 mac-address=\
00:1F:C1:1C:C4:90 server=defconf
add address=192.168.88.206 client-id=1:0:1f:c1:1c:c4:8d mac-address=\
00:1F:C1:1C:C4:8D server=defconf
add address=192.168.88.205 client-id=1:0:1f:c1:1c:c4:8f mac-address=\
00:1F:C1:1C:C4:8F server=defconf
add address=192.168.88.204 client-id=1:0:1f:c1:1c:c4:92 mac-address=\
00:1F:C1:1C:C4:92 server=defconf
add address=192.168.88.203 client-id=1:0:1f:c1:1c:c4:89 mac-address=\
00:1F:C1:1C:C4:89 server=defconf
add address=192.168.88.202 client-id=1:0:1f:c1:1c:c4:1e mac-address=\
00:1F:C1:1C:C4:1E server=defconf
add address=192.168.88.201 client-id=1:0:1f:c1:1c:c4:22 mac-address=\
00:1F:C1:1C:C4:22 server=defconf
add address=192.168.88.200 client-id=1:0:1f:c1:1c:c4:8c mac-address=\
00:1F:C1:1C:C4:8C server=defconf
add address=192.168.88.199 client-id=1:0:1f:c1:1c:c4:1f mac-address=\
00:1F:C1:1C:C4:1F server=defconf
add address=192.168.88.198 client-id=1:0:1f:c1:1c:c4:23 mac-address=\
00:1F:C1:1C:C4:23 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=FreepbxSIP dst-port=5060 \
in-interface-list=WAN protocol=udp to-addresses=192.168.88.232 to-ports=\
5060
add action=dst-nat chain=dstnat comment="FreePBX Tunnel TCP" dst-port=5090 \
protocol=tcp to-addresses=192.168.88.232 to-ports=5090
add action=dst-nat chain=dstnat comment="FreePBX Tunnel UDP" dst-port=5090 \
protocol=udp to-addresses=192.168.88.232 to-ports=5090
add action=dst-nat chain=dstnat comment="FreePBX SIP UDP" dst-port=5060 \
protocol=udp to-addresses=192.168.88.232 to-ports=5060
add action=dst-nat chain=dstnat comment="FreePBX SIP TCP" dst-port=5060 \
protocol=tcp to-addresses=192.168.88.232 to-ports=5060
add action=dst-nat chain=dstnat comment="FreePBX SIP TLS" dst-port=5061 \
protocol=tcp to-addresses=192.168.88.232 to-ports=5061
add action=dst-nat chain=dstnat comment="FreePBX Media UDP" dst-port=\
2000-60000 protocol=udp to-addresses=192.168.88.232 to-ports=2000-60000
/ip firewall service-port
set sip disabled=yes sip-timeout=59w3d15h
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Dublin
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
TheLorc
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 18, 2022 4:53 am

Re: Anyone know how to 'Whitelist' an IP through my firewall on Mikrotik?

Mon Jul 25, 2022 10:50 pm

Whitelisting must be looked at in another context: DENY everyone BUT "whitelist" SOME (or 1).
So YES, your (D)NAT rule is probably open for the whole world, but I would not call that a correct "whitelist" setup.
So either

1) Populate the "src address" field in the NAT rule with the IP provided by your cloud-provider
2) Create an "address list" object, and put that IP in there (along with possibly others) and then in the (D)NAT-rule refer to this list in the "src address list" field
Hi, thank you for the advice.

You are correct, it is not a good setup and it is open to the whole world. However, I am going to try and get it working with the minimum security, then once it's configured I will restrict it like you said. I don't want to make it harder to get it working by restricting to certain IPs, because if it doesn't work I will not know whether I am blocking an IP.

So I guess I am correct in thinking the IP is already 'whitelisted', given that I have no rule set up to blacklist or whitelist anything, and all IPs are allowed to try to make calls on my PBX port.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Anyone know how to 'Whitelist' an IP through my firewall on Mikrotik?

Mon Jul 25, 2022 10:55 pm

If you have to open a port to an outside agency, it's only correct that they provide you with their static WAN IP or DynDNS name in case it changes. The MT will resolve that for you.
As suggested, then add the src-address to the dst-nat rule, or if there are multiple, make an ip firewall address list and the rule will be src-address-list=

The advantage of this approach is twofold: one, only the source IP should be able to access the particular devices, and two, the associated ports will not appear (invisible) on a port scan.
Without a source address, the ports will appear with a status of closed but visible on a scan.

One would assume that if someone spoofed their WAN IP and gained access to devices, there would be some level of password protection, encryption or some means of protection??
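As an added example that is not from any poster in this thread, the following RouterOS commands combine jvanhambelgium's two options (a src-address on the rule, or an address list referenced by src-address-list) with anav's point that the provider should supply a static IP or a DNS name. The internal PBX address 192.168.88.232 and the port ranges are taken from the export posted above; the address 203.0.113.10 (an RFC 5737 documentation address) and the hostname sip-gateway.example.invalid are placeholders standing in for whatever Ringotel actually supplies. RouterOS resolves a DNS name placed in an address list and refreshes it according to the record's TTL, which is what anav's "the MT will resolve that for you" refers to.

```routeros
# Added example, not the thread's own config. Placeholder values are marked.
# 1) Address list holding every source that may reach the PBX.
/ip firewall address-list
add list=voip_whitelist address=203.0.113.10 \
    comment="Ringotel (PLACEHOLDER, replace with the IP the provider gives you)"
add list=voip_whitelist address=sip-gateway.example.invalid \
    comment="PLACEHOLDER DNS name; RouterOS resolves it and follows the TTL"

# 2) DNAT rules that only match listed sources arriving on the WAN list.
#    The dst-port / to-ports values are the ones from the posted export.
/ip firewall nat
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=udp \
    dst-port=5060 src-address-list=voip_whitelist \
    to-addresses=192.168.88.232 to-ports=5060 \
    comment="FreePBX SIP UDP (whitelisted sources only)"
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp \
    dst-port=5060,5061 src-address-list=voip_whitelist \
    to-addresses=192.168.88.232 \
    comment="FreePBX SIP TCP/TLS (whitelisted sources only)"
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=udp \
    dst-port=2000-60000 src-address-list=voip_whitelist \
    to-addresses=192.168.88.232 to-ports=2000-60000 \
    comment="FreePBX RTP media (whitelisted sources only)"

# 3) Checks: confirm the DNS entry resolved and watch the rule counters
#    while placing a test call; an unlisted source should leave them at 0.
/ip firewall address-list print where list=voip_whitelist
/ip firewall nat print stats where comment~"whitelisted"
```

Two things worth noting when applying this to the posted export. First, the existing open rules (those with no src-address-list) must be removed or disabled, otherwise they still match everything the new rules do not. Second, the default "drop all from WAN not DSTNATed" forward rule in the export is what actually discards packets from unlisted sources: because no dst-nat rule matches them, the connection is never DSTNATed and the forward chain drops it, which is why anav describes the ports as invisible to a scan rather than merely closed. The UDP range 2000-60000 already contains 5060, so the order of the SIP and RTP rules decides which counter a SIP packet hits; both forward to the same host and port, so the outcome is the same either way.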
 
TheLorc
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 18, 2022 4:53 am

Re: Anyone know how to 'Whitelist' an IP through my firewall on Mikrotik?  [SOLVED]

Mon Jul 25, 2022 11:03 pm

I fixed it guys!!!

I think the issue was my firewall NAT configuration.

I had a rule for UDP port 5060 for SIP, and then I had a rule for UDP ports 2000-65001 for RTP (the config posted above may not represent that, as I have changed this rule a lot to try to get RTP working).

However, I did not have the 'In. Interface List' set to WAN for the UDP 2000-65001 rule (which is for RTP), and also the two rules may have interfered with each other? Not entirely sure. I deleted the UDP 5060 rule and just had one rule for UDP 2000-65001, which I moved to the top of the NAT rule list, and now RTP calls work, including with the Ringotel softphone. Thanks for the help. I will make sure to try and block all IPs except necessary ones.
Last edited by TheLorc on Mon Jul 25, 2022 11:11 pm, edited 1 time in total.
 
jvanhambelgium
Forum Veteran
Posts: 990
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Anyone know how to 'Whitelist' an IP through my firewall on Mikrotik?

Mon Jul 25, 2022 11:05 pm

Whitelisting must be looked at in another context: DENY everyone BUT "whitelist" SOME (or 1).
So YES, your (D)NAT rule is probably open for the whole world, but I would not call that a correct "whitelist" setup.
So either

1) Populate the "src address" field in the NAT rule with the IP provided by your cloud-provider
2) Create an "address list" object, and put that IP in there (along with possibly others) and then in the (D)NAT-rule refer to this list in the "src address list" field
So I guess I am correct in thinking the IP is already 'whitelisted', given that I have no rule set up to blacklist or whitelist anything, and all IPs are allowed to try to make calls on my PBX port.
Correct. I advise you to at least put the public IP of the cloud provider in the applicable DNAT rules to limit the accessibility of this PBX service!
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Anyone know how to 'Whitelist' an IP through my firewall on Mikrotik?

Mon Jul 25, 2022 11:09 pm

/ip firewall service-port
set sip disabled=yes sip-timeout=59w3d15h

Mmm..... I use VoIP SIP phones with that helper active (but 1h, not ~60w)
without the need to use any form of NAT for SIP & Co. ports.
And also without "stun".

But I always have a public, non-shared address on the router WAN.
 
TheLorc
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 18, 2022 4:53 am

Re: Anyone know how to 'Whitelist' an IP through my firewall on Mikrotik?

Mon Jul 25, 2022 11:10 pm

If you have to open a port to an outside agency, it's only correct that they provide you with their static WAN IP or DynDNS name in case it changes. The MT will resolve that for you.
As suggested, then add the src-address to the dst-nat rule, or if there are multiple, make an ip firewall address list and the rule will be src-address-list=

The advantage of this approach is twofold: one, only the source IP should be able to access the particular devices, and two, the associated ports will not appear (invisible) on a port scan.
Without a source address, the ports will appear with a status of closed but visible on a scan.

One would assume that if someone spoofed their WAN IP and gained access to devices, there would be some level of password protection, encryption or some means of protection??
Thanks, I will make sure to configure the firewall to only allow certain source addresses. I will have to make a list because there are a lot of them.

Yes, there is credential authorization which is the way I connect to the two SIP Trunk providers I have.

Thanks again!
